Re: [Vol-users] using hex values with strings command

Date: Wed, 18 Apr 2012 09:29:44 -0400

Subject: Re: [Vol-users] using hex values with strings command From: michael.hale(a)gmail.com To: dragonforen(a)hotmail.com CC: phatbuckett(a)gmail.com; vol-users(a)volatilityfoundation.org

Hi Mike, A little late, but hopefully you got your answer already. So we probably won't be expanding the strings command to use hex values, because by definition a string is only ascii/printable characters. But as Darren said you can use yara rules. If you're using a recent 2.1 alpha branch, the yarascan command is your best bet and its included in the 2.1 package already. $ python vol.py yarascan -h Volatile Systems Volatility Framework 2.1_alpha Usage: Volatility - A memory forensics analysis platform. .... -p PID, --pid=PID Operate on these Process IDs (comma-separated) -K, --kernel Scan kernel modules -W, --wide Match wide (unicode) strings -Y YARA_RULES, --yara-rules=YARA_RULES Yara rules (as a string) -y YARA_FILE, --yara-file=YARA_FILE Yara rules (rules file) -D DUMP_DIR, --dump-dir=DUMP_DIR Directory in which to dump the file Just a few examples: 1. Search for an ascii string in all processes $ python vol.py yarascan -Y "test" 2. Search for a unicode string in a specific process $ python vol.py yarascan -Y "test" --wide -p 428 3. Search for a hex string in kernel memory $ python vol.py yarascan -Y "{90 EB 77}" --kernel 4. Search for a regex in all processes $ python vol.py yarascan -Y "/t[e|a]s{1,2}t/" 5. Read all rules from a yara file and scan for them all $ python vol.py yarascan -y yara.rules MHL On Sun, Apr 15, 2012 at 2:11 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote: > Hi David, > > In this case I'd say "no". I have the strings and their addresses I've > found > in memory. I'm looking for the PIDs that have the string in it. The > strings > output is exactly what I want and I can use it to do mass lookups. > strings > is quite nice for this job! > > I'll look more into yara rules. I need something that can be easy to use > for > many strings. > I am currently using encase and excel to export and format my memory > hits. > It only takes a few minutes to make the strings input file. This fits > the > bill for what I am using exactly if it is ascii, but not so well for > binary. > > I'll look closer at yara rules for this. > > Thanks and have a great weekend, > Mike > > ________________________________ > CC: vol-users(a)volatilityfoundation.org > From: phatbuckett(a)gmail.com > Subject: Re: [Vol-users] using hex values with strings command > Date: Sat, 14 Apr 2012 23:35:44 -0700 > To: dragonforen(a)hotmail.com > > > Hi Mike, > > Does malfind plugin + yara rule(s) work for your use case? > > DS > > On Apr 14, 2012, at 9:12 PM, Mike Lambert <dragonforen(a)hotmail.com> > wrote: > > I have read the command reference for the strings plugin and do not see > an > option to specify the string to look for in anything other than ascii. > > Could strings be expanded to include hex values, perhaps in the form of > \x55\x5e\xe2\xfd\x83\xc4 or something like that? > > Thanks, > Mike Lambert > > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >